The hidden world of DNS tunnelling

March 22, 2017

The Domain Name System (DNS) is a funny thing. To some it’s just part of the stack of protocols and systems that make up the internet, whereas to us at Nominet it’s our livelihood and passion. At its most basic, DNS is a simple digital signposting mechanism, enabling humans and machines to connect with each other by using relatively short, memorable addresses. For example, today, if you type the following address into your browser:

www.amazon.co.uk

the DNS would convert that into an Internet Protocol (IPv4) address that would look like this:

176.32.108.186

That address would then be used for your computer to connect and talk to Amazon’s web servers. Behind the scenes there’s a globally distributed network of servers belonging to your internet service provider, Nominet and others that makes this all happen, but at its heart the DNS is simply a modern telephone directory. It’s an incredibly efficient and scalable one at that, relying on multiple parties to do their bit in the chain in order that the whole process can happen in as little as a few milliseconds. At Nominet, we look after the lion’s share of the lookups for .uk addresses making sure that we hold the ‘authoritative’record for anything ending in .uk, co.uk (and others). We answer on average 3 billion queries per day and on a busy Christmas shopping day this can peak at over 5 billion.

It’s this simplicity and reliability that means, for most people, DNS is simply fire-and-forget. Frankly, that’s how it should be. But at Nominet, we are curious folk and we know that not all DNS queries are made equal. Just like physical road signs in real life, there are those seeking to find their way to the town centre to do their shopping, and there are those looking for directions in order to rob the local bank. We’ve known for a while that if you look at the way in which someone, or something makes a DNS query, you can try and infer the purpose of their visit.

What has piqued our interest lately are DNS queries that are much longer than normal. If you remember that the DNS was invented to create easy-to-remember addresses, then why would anyone create DNS entries that are virtually impossible to remember?

Despite its length, there’s absolutely nothing wrong with an address that looks like this:

queue.laserprinter.hrteam.operations.building4.mybusiness.co.uk

It’s unwieldy, but it’s obvious that this address is a hierarchy of facilities and departments made to segment a business into neat electronic chunks. But what if an address looked more like this:

c519c1a06cdbeb2bc499e22137fb48683858b345.simonmccalla.uk

It’s a little unusual, but there’s nothing inherently fishy about seemingly random character strings in DNS. Anyone familiar with cryptography might say that looks a lot like a ‘hash’ (it is in fact an SHA1 hash of ‘the quick brown fox’…).

It gets even more interesting if we see a number of these arriving in quick succession i.e:

511824ab23af99bb0a5b21dc8d3314ad9db43ba3.simonmccalla.uk

a9112a7990323041eb1901156d8c67a0f766a7f4.simonmccalla.uk

f08000ed33f4ea593619e0edd06ac8ee5b8413b6.simonmccalla.uk

46993e75c0117e77b1e55f4682e0193968e835ce.simonmccalla.uk

At this point, we’re starting to get suspicious – and rightly so. The above four lines are actually the first four lines of Edward Lear’s classic ‘The Owl and The Pussycat‘ poem ‘hashed’ to hide the content from prying eyes.

The question then becomes, why do this? Why send random encrypted poetry to Nominet’s DNS servers? The answer lies a few paragraphs above: very few people care much about DNS traffic and it is usually left unhindered and un-monitored on most networks.

What’s actually going on here is a process known as ‘DNS tunnelling’ – aka using the DNS not for looking up locations, but actually sending information. In order to make this work, instead of running an ordinary nameserver on my ‘simonmccalla.uk’ domain, I need to install a special piece of software that can receive these interesting lookups, decode them and store the hidden content for viewing later. In some cases I can get the software to then send back responses hidden deep in the DNS response.

This technique has been used for many years as a mechanism to get round WiFi paywall hotspots in airports and cafes and is documented in an excellent article by the Sans Institute. Why pay for data when you can sneakily get it for free? It all gets a little more serious, however, when we see this traffic coming from within corporate or government networks. This technique can be easily used to exfiltrate important or confidential data without it being spotted by normal mechanisms. Most organisations don’t choose (or have the capability) to monitor their DNS traffic in any detail and because of this simple hack, a vital doorway is left open for someone or something to move data outside of the organisation undiscovered.

In the summer of 2016, the cyber security company Infoblox reviewed the DNS traffic of over 500 large corporations and found nearly half of them showed evidence of DNS tunnelling on their networks. Now some of this will be perfectly innocent traffic, but it’s hard to tell if you can’t see it in the first place.

That’s why back in Oxford we’ve been building techniques and software to detect this and other cyber attacks from deep within the DNS traffic. Our turing technology and service is a result of this research and we’re helping global companies and the UK government to try and tackle this threat before someone causes real commercial or national damage. It really pays not just to put up big electronic walls around your company, but to make sure that nobody is tunnelling under them too.

Originally posted by Simon McCalla